Quantified Differential Temporal Dynamic Logic for Verifying Properties of Distributed Hybrid Systems



Ping Hou 

Computer Science Department, Carnegie Mellon University 



Abstract. We combine quantified differential dynamic logic (QdL) for reasoning about the possible behavior of distributed hybrid systems with temporal logic for reasoning about the temporal behavior during their operation. Our logic supports verification of temporal and non-temporal properties of distributed hybrid systems and provides a uniform treatment of discrete transitions, continuous evolution, and dynamic dimensionality-changes. For our combined logic, we generalize the semantics of dynamic modalities to refer to hybrid traces instead of final states. Further, we prove that this gives a conservative extension of QdL for distributed hybrid systems. On this basis, we provide a modular verification calculus that reduces correctness of temporal behavior of distributed hybrid systems to non-temporal reasoning, and prove that we obtain a complete axiomatization relative to the non-temporal base logic QdL. Using this calculus, we analyze temporal safety properties in a distributed air traffic control system where aircraft can appear dynamically.



1 Introduction 

Ensuring correct functioning of cyber-physical systems is among the most challenging and most important problems in computer science, mathematics, and engineering. Hybrid systems are common mathematical models for cyber-physical systems with interacting discrete and continuous behavior [6,13]. Their behavior combines continuous evolution (called flow) characterized by differential equations and discrete jumps. However, not all relevant cyber-physical systems can be modeled as hybrid systems. Hybrid systems cannot represent physical control systems that are distributed or form a multi-agent system, e.g., distributed car control systems [15] and distributed air traffic control systems [8]. Such systems form distributed hybrid systems [7,16,21,22] with discrete, continuous, structural, and dimension-changing dynamics. Distributed hybrid systems combine the challenges of hybrid systems and distributed systems. Correctness of safety-critical real-time and distributed hybrid systems depends on a safe operation throughout all states of all possible trajectories, and the behavior at intermediate states is highly relevant [1,4,6,11,15].
Temporal logics (TL) use temporal operators to talk about intermediate states [1,9,10,25]. They have been used successfully in model checking [1,3,13,14,18] of finite-state system abstractions. State spaces of distributed hybrid systems, however, often do not admit equivalent finite-state abstractions [13,18]. Instead of model checking, TL can also be used deductively to prove validity of formulas in calculi [5,6]. Valid TL formulas, however, only express very generic facts that are true for all systems, regardless of their actual behavior. Hence, the behavior of a specific system first needs to be axiomatized declaratively to obtain meaningful results. Then, however, the correspondence between actual system operations and a declarative temporal representation may be questioned.

Very recently, a dynamic logic, called quantified differential dynamic logic (QdL), has been introduced as a successful tool for deductively verifying distributed hybrid systems [21,22]. QdL can analyze the behavior of actual distributed hybrid system models, which are specified operationally. Yet, operational distributed hybrid system models are internalized within QdL formulas, and QdL is closed under logical operators. However, QdL only considers the behavior of distributed hybrid systems at final states, which is insufficient for verifying safety properties that have to hold all the time.

We close this gap of expressivity by combining QdL with temporal logic [9,10,23]. In this paper, we introduce a logic, called quantified differential temporal dynamic logic (QdTL), which provides modalities for quantifying over traces of distributed hybrid systems based on QdL. We equip QdTL with temporal operators to state what is true all along a trace or at some point during a trace. In this paper, we modify the semantics of the dynamic modality $[\alpha]$ to refer to all traces of $\alpha$ instead of all final states reachable with $\alpha$ (similarly for $\langle\alpha\rangle$). For instance, the formula $[\alpha]\Box\phi$ expresses that $\phi$ is true at each state during all traces of the distributed hybrid system $\alpha$. With this, QdTL can also be used to verify temporal statements about the behavior of $\alpha$ at intermediate states during system runs. As in our non-temporal dynamic logic QdL [21,22], we use quantified hybrid programs as an operational model for distributed hybrid systems, since they admit a uniform compositional treatment of interacting discrete transitions, continuous evolutions, and structural/dimension changes in logic.

As a semantical foundation for combined temporal dynamic formulas, we introduce a hybrid trace semantics for QdTL. We prove that QdTL is a conservative extension of QdL: for non-temporal specifications, trace semantics is equivalent to the non-temporal transition semantics of QdL [21,22].

As a means for verification, we introduce a sequent calculus for QdTL that successively reduces temporal statements about traces of quantified hybrid programs to non-temporal QdL formulas. In this way, we make the intuition formally precise that temporal safety properties can be checked by augmenting proofs with appropriate assertions about intermediate states. Like in [21,22], our calculus works compositionally. It decomposes correctness statements about quantified hybrid programs structurally into corresponding statements about its parts by symbolic transformation.

Our approach combines the advantages of QdL in reasoning about the behaviour of operational distributed hybrid system models with those of TL to verify temporal statements about traces. We show that QdTL is sound and relatively complete. We argue that QdTL can verify practical systems and demonstrate this by studying temporal safety properties in distributed air traffic control. Our primary contributions are as follows:

— We introduce a logic for specifying and verifying temporal properties of distributed hybrid systems.

— We present a proof calculus for this logic, which, to the best of our knowledge, is the first verification approach that can handle temporal statements about distributed hybrid systems.

— We prove that this compositional calculus is a sound and complete axiomatization relative to differential equations.

— We verify temporal safety properties in a collision avoidance maneuver in distributed air traffic control, where aircraft can appear dynamically.

2 Related Work 

Multi-party distributed control has been suggested for car control [15] and air traffic control [3]. Due to limits in verification technology, no formal analysis of temporal statements about the distributed hybrid dynamics has been possible for these systems yet. Analysis results include discrete message handling [15] or collision avoidance for two participants [3].

The importance of understanding dynamic/reconfigurable distributed hybrid systems was recognized in the modeling languages SHIFT [7] and R-Charon [16]. They focused on simulation/compilation [7] or the development of a semantics [16], so that no verification is possible yet.

Other process-algebraic approaches, like $\chi$ [22], have been developed for modeling and simulation. Verification is still limited to small fragments that can be translated directly to other verification tools like PHAVer or UPPAAL, which do not support distributed hybrid systems.

Our approach is completely different. It is based on first-order structures and dynamic logic. We focus on developing a logic that supports temporal and non-temporal statements about distributed hybrid dynamics and is amenable to automated theorem proving in the logic itself.

Our previous work and other verification approaches for static hybrid systems cannot verify distributed hybrid systems. Distributed hybrid systems may have an unbounded and changing number of components/participants, which cannot be represented with any fixed number of dimensions of the state space.

Based on [21], Beckert and Schlager [2] added separate trace modalities to dynamic logic and presented a relatively complete calculus. Their approach only handles discrete state spaces. In contrast, QdTL works for hybrid programs with continuous and structural/dimensional dynamics.

Davoren and Nerode [6] extended the propositional modal $\mu$-calculus with a semantics in hybrid systems and examine topological aspects. In [5], Davoren et al. gave a semantics in general flow systems for a generalisation of CTL* [10]. In both cases, the authors of [6] and [5] provided Hilbert-style calculi to prove formulas that are valid for all systems simultaneously using abstract actions.



The strength of our logic primarily is that it is a first-order dynamic logic: it handles actual hybrid programs rather than only abstract actions of unknown effect. Our calculus directly supports verification of quantified hybrid programs with continuous evolution and structural/dimensional changes. First-order dynamic logic is more expressive and calculi are deductively stronger than other approaches [2,17].

3 Syntax of Quantified Differential Temporal Dynamic Logic

As a formal logic for verifying temporal specifications of distributed hybrid systems, we introduce quantified differential temporal dynamic logic (QdTL). QdTL extends dynamic logic for reasoning about system runs [12] with many-sorted first-order logic for reasoning about all ($\forall i{:}A\ \phi$) or some ($\exists i{:}A\ \phi$) objects of a sort $A$, e.g., the sort of all aircraft, and three other concepts:

Quantified hybrid programs. The behavior of distributed hybrid systems can be described by quantified hybrid programs [21,22], which generalize regular programs from dynamic logic [12] to distributed hybrid changes. The distinguishing feature of quantified hybrid programs is that they provide uniform discrete transitions, continuous evolutions, and structural/dimension changes along quantified assignments and quantified differential equations, which can be combined by regular control operations.

Modal operators. Modalities of dynamic logic express statements about all possible behavior ($[\alpha]\pi$) of a system $\alpha$, or about the existence of a trace ($\langle\alpha\rangle\pi$), satisfying condition $\pi$. Unlike in standard dynamic logic, $\alpha$ is a model of a distributed hybrid system. We use quantified hybrid programs to describe $\alpha$ as in [21,22]. Yet, unlike in standard dynamic logic [12] or quantified differential dynamic logic (QdL) [21,22], $\pi$ is a trace formula in QdTL, and $\pi$ can refer to all states that occur during a trace using temporal operators.

Temporal operators. For QdTL, the temporal trace formula $\Box\phi$ expresses that the formula $\phi$ holds all along a trace selected by $[\alpha]$ or $\langle\alpha\rangle$. For instance, the state formula $\langle\alpha\rangle\Box\phi$ says that the state formula $\phi$ holds at every state along at least one trace of $\alpha$. Dually, the trace formula $\Diamond\phi$ expresses that $\phi$ holds at some point during such a trace. It can occur in a state formula $\langle\alpha\rangle\Diamond\phi$ to express that there is such a state in some trace of $\alpha$, or as $[\alpha]\Diamond\phi$ to say that, along each trace, there is a state satisfying $\phi$. In this paper, the primary focus of attention is on homogeneous combinations of path and trace quantifiers like $[\alpha]\Box\phi$ or $\langle\alpha\rangle\Diamond\phi$.

3.1 Quantified Hybrid Programs 

QdTL supports a (finite) number of object sorts, e.g., the sort of all aircraft, or the sort of all cars. For continuous quantities of distributed hybrid systems like positions or velocities, we add the sort $\mathbb{R}$ for real numbers. Terms of QdTL are built from a set of (sorted) function/variable symbols as in many-sorted first-order logic. For representing appearance and disappearance of objects while running QHPs, we use an existence function symbol $E(\cdot)$ that has value $E(o) = 1$ if object $o$ exists, and has value $E(o) = 0$ when object $o$ disappears or has not been created yet. We use $0, 1, +, -, \cdot$ with the usual notation and fixed semantics for real arithmetic. For $n \geq 0$ we abbreviate $f(s_1, \dots, s_n)$ by $f(s)$ using vectorial notation and we use $s = t$ for element-wise equality.

As a system model for distributed hybrid systems, QdTL uses quantified hybrid programs (QHP) [21,22]. The quantified hybrid programs occurring in dynamic modalities of QdTL are regular programs from dynamic logic [12] to which quantified assignments and quantified differential equation systems for distributed hybrid dynamics are added. QHPs are defined by the following grammar ($\alpha, \beta$ are QHPs, $\theta$ a term, $i$ a variable of sort $A$, $f$ a function symbol, $s$ a vector of terms with sorts compatible to $f$, and $\chi$ a formula of first-order logic):

$$\alpha, \beta ::= \forall i{:}A\ f(s) := \theta \mid \forall i{:}A\ f(s)' = \theta \,\&\, \chi \mid ?\chi \mid \alpha \cup \beta \mid \alpha; \beta \mid \alpha^*$$

The effect of quantified assignment $\forall i{:}A\ f(s) := \theta$ is an instantaneous discrete jump assigning $\theta$ to $f(s)$ simultaneously for all objects $i$ of sort $A$. The QHP $\forall i{:}C\ a(i) := a(i) + 1$, for example, expresses that all cars $i$ of sort $C$ simultaneously increase their acceleration $a(i)$. The effect of quantified differential equation $\forall i{:}A\ f(s)' = \theta \,\&\, \chi$ is a continuous evolution where, for all objects $i$ of sort $A$, all differential equations $f(s)' = \theta$ hold and formula $\chi$ holds throughout the evolution (the state remains in the region described by $\chi$). The dynamics of QHPs changes the interpretation of terms over time: $f(s)'$ is intended to denote the derivative of the interpretation of the term $f(s)$ over time during continuous evolution, not the derivative of $f(s)$ by its argument $s$. For $f(s)'$ to be defined, we assume $f$ is an $\mathbb{R}$-valued function symbol. For simplicity, we assume that $f$ does not occur in $s$. In most quantified assignments/differential equations $s$ is just $i$. For instance, the following QHP expresses that all cars $i$ of sort $C$ drive by $\forall i{:}C\ x(i)'' = a(i)$ such that their position $x(i)$ changes continuously according to their respective acceleration $a(i)$.

The effect of test $?\chi$ is a skip (i.e., no change) if formula $\chi$ is true in the current state and abort (blocking the system run by a failed assertion), otherwise. Nondeterministic choice $\alpha \cup \beta$ is for alternatives in the behavior of the distributed hybrid system. In the sequential composition $\alpha; \beta$, QHP $\beta$ starts after $\alpha$ finishes ($\beta$ never starts if $\alpha$ continues indefinitely). Nondeterministic repetition $\alpha^*$ repeats $\alpha$ an arbitrary number of times, possibly zero times.

Structural dynamics of distributed hybrid systems corresponds to quantified assignments to function terms and we model the appearance of new participants in the distributed hybrid system, e.g., new aircraft appearing into the local flight scenario, by a program $n := \mathrm{new}\ A$ (see [21,22] for details).

3.2 State and Trace Formulas 

The formulas of QdTL are defined similarly to first-order dynamic logic plus many-sorted first-order logic. However, the modalities $[\alpha]$ and $\langle\alpha\rangle$ accept trace formulas that refer to the temporal behavior of all states along a trace. Inspired by CTL and CTL* [9,10], we distinguish between state formulas, which are true or false in states, and trace formulas, which are true or false for system traces.



The state formulas of QdTL are defined by the following grammar ($\phi, \psi$ are state formulas, $\pi$ is a trace formula, $\theta_1, \theta_2$ are terms of the same sort, $i$ is a variable of sort $A$, and $\alpha$ is a QHP):

$$\phi, \psi ::= \theta_1 = \theta_2 \mid \theta_1 \geq \theta_2 \mid \neg\phi \mid \phi \wedge \psi \mid \forall i{:}A\ \phi \mid \exists i{:}A\ \phi \mid [\alpha]\pi \mid \langle\alpha\rangle\pi$$

We use standard abbreviations to define $\leq, <, >, \vee, \to$. Sorts $A \neq \mathbb{R}$ have no ordering and only $\theta_1 = \theta_2$ is allowed. For sort $\mathbb{R}$, we abbreviate $\forall x{:}\mathbb{R}\ \phi$ by $\forall x\ \phi$.

The trace formulas of QdTL are defined by the following grammar ($\pi$ is a trace formula and $\phi$ is a state formula):

$$\pi ::= \phi \mid \Box\phi \mid \Diamond\phi$$

Formulas without $\Box$ and $\Diamond$ are non-temporal QdL formulas. Unlike in CTL, state formulas are true on a trace if they hold for the last state of a trace, not for the first. Thus, $[\alpha]\phi$ expresses that $\phi$ is true at the end of each trace of $\alpha$. In contrast, $[\alpha]\Box\phi$ expresses that $\phi$ is true all along all states of every trace of $\alpha$. This combination gives a smooth embedding of non-temporal QdL into QdTL and makes it possible to define a compositional calculus. Like CTL, QdTL allows nesting with a branching time semantics [5], e.g., $[\alpha]\Box((\forall i{:}C\ x(i) \geq 2) \to \langle\beta\rangle\Diamond(\forall i{:}C\ x(i) \leq 0))$. In the following, all formulas and terms have to be well-typed. For short notation, we allow conditional terms of the form $\mathrm{if}\ \phi\ \mathrm{then}\ \theta_1\ \mathrm{else}\ \theta_2\ \mathrm{fi}$ (where $\theta_1$ and $\theta_2$ have the same sort). This term evaluates to $\theta_1$ if the formula $\phi$ is true and to $\theta_2$ otherwise. We consider formulas with conditional terms as abbreviations, e.g., $\psi(\mathrm{if}\ \phi\ \mathrm{then}\ \theta_1\ \mathrm{else}\ \theta_2\ \mathrm{fi})$ for $(\phi \to \psi(\theta_1)) \wedge (\neg\phi \to \psi(\theta_2))$.

Example 1. Let $C$ be the sort of all cars. By $x(i)$, we denote the position of car $i$, by $v(i)$ its velocity and by $a(i)$ its acceleration. Then the QdTL formula

$$(\forall i{:}C\ x(i) \geq 0) \to [\forall i{:}C\ x(i)' = v(i), v(i)' = a(i) \,\&\, v(i) \geq 0]\,\Box\,(\forall i{:}C\ x(i) \geq 0)$$

says that, if all cars start at a point to the right of the origin and we only allow them to evolve as long as all of them have nonnegative velocity, then they always stay to the right of the origin. In this case, the QHP just consists of a quantified differential equation expressing that the position $x(i)$ of car $i$ evolves over time according to the velocity $v(i)$, which evolves according to its acceleration $a(i)$. The constraint $v(i) \geq 0$ expresses that the cars never move backwards, which otherwise would happen eventually in the case of braking $a(i) < 0$. This formula is indeed valid, and we would be able to use the techniques developed in this paper to prove it.

4 Semantics of Quantified Differential Temporal Dynamic Logic

In standard dynamic logic [12] and the logic QdL [21,22], modalities only refer to the final states of system runs and the semantics is a reachability relation on states: State $\tau$ is reachable from state $\sigma$ using $\alpha$ if there is a run of $\alpha$ which terminates in $\tau$ when started in $\sigma$. For QdTL, however, formulas can refer to intermediate states of runs as well. Thus, the semantics of a distributed hybrid system $\alpha$ is the set of its possible traces, i.e., successions of states that occur during the evolution of $\alpha$.



4.1 Trace Semantics of Quantified Hybrid Programs 

A state $\sigma$ associates an infinite set $\sigma(A)$ of objects with each sort $A$, and it associates a function $\sigma(f)$ of appropriate type with each function symbol $f$, including $E(\cdot)$. For simplicity, $\sigma$ also associates a value $\sigma(i)$ of appropriate type with each variable $i$. The domain of $\mathbb{R}$ and the interpretation of $0, 1, +, -, \cdot$ is that of real arithmetic. We assume constant domain for each sort $A$: all states $\sigma, \tau$ share the same infinite domains $\sigma(A) = \tau(A)$. Sorts $A \neq C$ are disjoint: $\sigma(A) \cap \sigma(C) = \emptyset$. The set of all states is denoted by $S$. The state $\sigma_i^e$ agrees with $\sigma$ except for the interpretation of variable $i$, which is changed to $e$. In addition, we distinguish a state $\Lambda$ to denote the failure of a system run when it is aborted due to a test $?\chi$ that yields false. In particular, $\Lambda$ can only occur at the end of an aborted system run and marks that there is no further extension.

Distributed hybrid systems evolve along piecewise continuous traces in multi-dimensional space, structural changes, and appearance or disappearance of agents as time passes. Continuous phases are governed by differential equations, whereas discontinuities are caused by discrete jumps. Unlike in discrete cases [2,24], traces are not just sequences of states, since distributed hybrid systems pass through uncountably many states even in bounded time. Beyond that, continuous changes are more involved than in pure real-time [1,14], because all variables can evolve along different differential equations. Generalizing the real-time traces of [23], the following definition captures hybrid behavior by splitting the uncountable succession of states into periods $v_i$ that are regulated by the same control law. For discrete jumps, some periods are point flows of duration 0.

The (trace) semantics of quantified hybrid programs is compositional, that is, 
the semantics of a complex program is defined as a simple function of the trace 
semantics of its parts. 

Definition 1 (Hybrid Trace). A trace is a (non-empty) finite or infinite sequence $v = (v_0, v_1, v_2, \dots)$ of functions $v_k : [0, r_k] \to S$ with respective durations $r_k \in \mathbb{R}$ (for $k \in \mathbb{N}$). A position of $v$ is a pair $(k, \zeta)$ with $k \in \mathbb{N}$ and $\zeta$ in the interval $[0, r_k]$; the state of $v$ at $(k, \zeta)$ is $v_k(\zeta)$. Positions of $v$ are ordered lexicographically by $(k, \zeta) \prec (m, \xi)$ iff either $k < m$, or $k = m$ and $\zeta < \xi$. Further, for a state $\sigma \in S$, $\hat\sigma : 0 \mapsto \sigma$ is the point flow at $\sigma$ with duration 0. A trace terminates if it is a finite sequence $(v_0, v_1, \dots, v_n)$ and $v_n(r_n) \neq \Lambda$. In that case, the last state $v_n(r_n)$ is denoted by $\mathrm{last}\ v$. The first state $v_0(0)$ is denoted by $\mathrm{first}\ v$.

Unlike in [1,14], the definition of traces also admits finite traces of bounded duration, which is necessary for compositionality of traces in $\alpha; \beta$. The semantics of quantified hybrid programs $\alpha$ as the set $\mu(\alpha)$ of its possible traces depends on valuations $\sigma[\![\cdot]\!]$ of formulas and terms at intermediate states $\sigma$. The valuation of formulas will be defined in Definition 3. Especially, we use $\sigma_i^e[\![\cdot]\!]$ to denote the valuations of terms and formulas in state $\sigma_i^e$, i.e., in state $\sigma$ with $i$ interpreted as $e$.

Definition 2 (Trace Semantics of Quantified Hybrid Programs). The trace semantics, $\mu(\alpha)$, of a quantified hybrid program $\alpha$, is the set of all its possible hybrid traces and is defined inductively as follows:

1. $\mu(\forall i{:}A\ f(s) := \theta) = \{(\hat\sigma, \hat\tau) : \sigma \in S$ and state $\tau$ is identical to $\sigma$ except that at each position $o$ of $f$: if $\sigma_i^e[\![s]\!] = o$ for some object $e \in \sigma(A)$, then $\tau(f)(\sigma_i^e[\![s]\!]) = \sigma_i^e[\![\theta]\!]\}$

2. $\mu(\forall i{:}A\ f(s)' = \theta \,\&\, \chi) = \{(\varphi) : 0 \leq r \in \mathbb{R}$ and $\varphi : [0, r] \to S$ is a function satisfying the following conditions. At each time $t \in [0, r]$, state $\varphi(t)$ is identical to $\varphi(0)$, except that at each position $o$ of $f$: if $\sigma_i^e[\![s]\!] = o$ for some object $e \in \sigma(A)$, then, at each time $\zeta \in [0, r]$:

— The differential equations hold and derivatives exist (trivial for $r = 0$):

— The evolution domain is respected: $\varphi(\zeta)_i^e[\![\chi]\!] = \mathrm{true}$.$\}$

3. $\mu(?\chi) = \{(\hat\sigma) : \sigma[\![\chi]\!] = \mathrm{true}\} \cup \{(\hat\sigma, \hat\Lambda) : \sigma[\![\chi]\!] = \mathrm{false}\}$

4. $\mu(\alpha \cup \beta) = \mu(\alpha) \cup \mu(\beta)$

5. $\mu(\alpha; \beta) = \{v \circ \varrho : v \in \mu(\alpha), \varrho \in \mu(\beta)$ when $v \circ \varrho$ is defined$\}$; the composition of $v = (v_0, v_1, v_2, \dots)$ and $\varrho = (\varrho_0, \varrho_1, \varrho_2, \dots)$ is

$$v \circ \varrho = \begin{cases} (v_0, \dots, v_n, \varrho_0, \varrho_1, \dots) & \text{if } v \text{ terminates at } v_n \text{ and } \mathrm{last}\ v = \mathrm{first}\ \varrho \\ v & \text{if } v \text{ does not terminate} \\ \text{not defined} & \text{otherwise} \end{cases}$$

6. $\mu(\alpha^*) = \bigcup_{n \in \mathbb{N}} \mu(\alpha^n)$, where $\alpha^{n+1} := (\alpha^n; \alpha)$ for $n \geq 1$, as well as $\alpha^1 := \alpha$ and $\alpha^0 := (?\mathrm{true})$.




4.2 Valuation of State and Trace Formulas 

Definition 3 (Valuation of Formulas). The valuation of state and trace formulas is defined respectively. For state formulas, the valuation $\sigma[\![\cdot]\!]$ with respect to state $\sigma$ is defined as follows:

1. $\sigma[\![\theta_1 = \theta_2]\!] = \mathrm{true}$ iff $\sigma[\![\theta_1]\!] = \sigma[\![\theta_2]\!]$; accordingly for $\geq$.

2. $\sigma[\![\phi \wedge \psi]\!] = \mathrm{true}$ iff $\sigma[\![\phi]\!] = \mathrm{true}$ and $\sigma[\![\psi]\!] = \mathrm{true}$; accordingly for $\neg$.

3. $\sigma[\![\forall i{:}A\ \phi]\!] = \mathrm{true}$ iff $\sigma_i^e[\![\phi]\!] = \mathrm{true}$ for all objects $e \in \sigma(A)$.

4. $\sigma[\![\exists i{:}A\ \phi]\!] = \mathrm{true}$ iff $\sigma_i^e[\![\phi]\!] = \mathrm{true}$ for some object $e \in \sigma(A)$.

5. $\sigma[\![[\alpha]\pi]\!] = \mathrm{true}$ iff for each trace $v \in \mu(\alpha)$ that starts in $\mathrm{first}\ v = \sigma$, if $v[\![\pi]\!]$ is defined, then $v[\![\pi]\!] = \mathrm{true}$.

6. $\sigma[\![\langle\alpha\rangle\pi]\!] = \mathrm{true}$ iff there is a trace $v \in \mu(\alpha)$ starting in $\mathrm{first}\ v = \sigma$ such that $v[\![\pi]\!]$ is defined and $v[\![\pi]\!] = \mathrm{true}$.

For trace formulas, the valuation $v[\![\cdot]\!]$ with respect to trace $v$ is defined as follows:

1. If $\phi$ is a state formula, then $v[\![\phi]\!] = \mathrm{last}\ v[\![\phi]\!]$ if $v$ terminates, whereas $v[\![\phi]\!]$ is not defined if $v$ does not terminate.

2. $v[\![\Box\phi]\!] = \mathrm{true}$ iff $v_k(\zeta)[\![\phi]\!] = \mathrm{true}$ for all positions $(k, \zeta)$ of $v$ with $v_k(\zeta) \neq \Lambda$.

3. $v[\![\Diamond\phi]\!] = \mathrm{true}$ iff $v_k(\zeta)[\![\phi]\!] = \mathrm{true}$ for some position $(k, \zeta)$ of $v$ with $v_k(\zeta) \neq \Lambda$.

As usual, a (state) formula is valid if it is true in all states. Further, for (state) formula $\phi$ and state $\sigma$ we write $\sigma \models \phi$ iff $\sigma[\![\phi]\!] = \mathrm{true}$. We write $\sigma \not\models \phi$ iff $\sigma[\![\phi]\!] = \mathrm{false}$. Likewise, for trace formula $\pi$ and trace $v$ we write $v \models \pi$ iff $v[\![\pi]\!] = \mathrm{true}$ and $v \not\models \pi$ iff $v[\![\pi]\!] = \mathrm{false}$. In particular, we only write $v \models \pi$ or $v \not\models \pi$ if $v[\![\pi]\!]$ is defined, which is not the case if $\pi$ is a state formula and $v$ does not terminate.



4.3 Conservative Temporal Extension 

The following result shows that the extension of QdTL by temporal operators does not change the meaning of non-temporal QdL formulas. The trace semantics given in Definition 3 is equivalent to the final state reachability relation semantics [21,22] for the sublogic QdL of QdTL.

Proposition 1. The logic QdTL is a conservative extension of non-temporal QdL, i.e., the set of valid QdL formulas is the same with respect to transition reachability semantics of QdL [21,22] as with respect to the trace semantics of QdTL (Definition 3).



5 Safety Properties in Distributed Air Traffic Control 

In air traffic control, collision avoidance maneuvers [8,26] are used to resolve conflicting flight paths that arise during free flight. We consider the roundabout collision avoidance maneuver for air traffic control [26]. In the literature, formal verification of the hybrid dynamics of air traffic control focused on a fixed number of aircraft, usually two. In reality, many more aircraft are in the same flight corridor, even if not all of them participate in the same maneuver. They may be involved in multiple distributed maneuvers at the same time, however. Perfect global trajectory planning quickly becomes infeasible then. The verification itself also becomes much more complicated for three aircraft already. Explicit replication of the system dynamics $n$ times is computationally infeasible for larger $n$. Yet, collision avoidance maneuvers need to work for an (essentially) unbounded number of aircraft. Because global trajectory planning is infeasible, the appearance of other aircraft into a local collision avoidance maneuver always has to be expected and managed safely. See Fig. 1 for a general illustration of roundabout-style collision avoidance maneuvers and the phenomenon of dynamic appearance of some new aircraft $z$ into the horizon of relevance.

The resulting flight control system has several characteristics of hybrid dynamics. But it is not a hybrid system and does not even have a fixed finite number of variables in a fixed finite-dimensional state space. The system forms a distributed hybrid system, in which all aircraft fly at the same time and new aircraft may appear from remote areas into the local flight scenario. Let $A$ be the sort of all aircraft. Each aircraft $i$ has a position $x(i) = (x_1(i), x_2(i))$ and a velocity vector $d(i) = (d_1(i), d_2(i))$. We model the continuous dynamics of an aircraft $i$ that follows a flight curve with an angular velocity $\omega(i)$ by the (function) differential equation:

$$x_1(i)' = d_1(i),\quad x_2(i)' = d_2(i),\quad d_1(i)' = -\omega(i)\, d_2(i),\quad d_2(i)' = \omega(i)\, d_1(i) \qquad (\mathcal{F}_{\omega(i)}(i))$$




Fig. 1. Roundabout collision avoidance maneuver with new appearance



This differential equation, which we denote by $\mathcal{F}_{\omega(i)}(i)$, is the standard equation for curved flight from the literature [25], but lifted to function symbols that are parameterized by aircraft $i$. Now the quantified differential equation $\forall i{:}A\ \mathcal{F}_{\omega(i)}(i)$ characterizes that all aircraft $i$ fly along their respective (function) differential equation $\mathcal{F}_{\omega(i)}(i)$ according to their respective angular velocities $\omega(i)$ at the same time. This quantified differential equation captures what no finite-dimensional differential equation system could ever do. It characterizes the simultaneous movement of an unbounded, arbitrary, and even growing or shrinking set of aircraft.

Two aircraft $i$ and $j$ have violated the safe separation property if they falsify the following formula

$$\mathcal{V}(i,j) \equiv i = j \vee (x_1(i) - x_1(j))^2 + (x_2(i) - x_2(j))^2 \geq p^2$$

which says that aircraft $i$ and $j$ are either identical or separated by at least the protected zone $p$ (usually 5mi). For the aircraft control system to be safe, all aircraft have to be safely separated, i.e., need to satisfy $\forall i, j{:}A\ \mathcal{V}(i,j)$. It is crucial that this formula holds at every point in time during the system evolution, not only at its beginning or at its end. Hence, we need to consider temporal safety properties. For instance, QdTL can analyze the following temporal safety properties of a part of the distributed roundabout collision avoidance maneuver for air traffic control:

$$\forall i, j{:}A\ \mathcal{V}(i,j) \wedge \forall i, j{:}A\ \mathcal{T}(i,j) \to [\forall i{:}A\ \mathcal{F}_{\omega(i)}(i)]\,\Box\,\forall i, j{:}A\ \mathcal{V}(i,j) \qquad (1)$$

$$\forall i, j{:}A\ \mathcal{V}(i,j) \wedge \forall i, j{:}A\ \mathcal{T}(i,j) \to [\forall i{:}A\ t := 0;\ \forall i{:}A\ \mathcal{F}_{\omega(i)}(i), t' = 1 \,\&\, \forall i{:}A\ t \leq T;\ ?(\forall i{:}A\ t = T)]\,\Box\,\forall i, j{:}A\ \mathcal{V}(i,j) \qquad (2)$$

where $\mathcal{T}(i,j) \equiv d_1(i) - d_1(j) = -\omega(x_2(i) - x_2(j)) \wedge d_2(i) - d_2(j) = \omega(x_1(i) - x_1(j))$, $t$ is a clock variable, and $T$ is some bounded time.

The temporal safety invariant in (1) expresses that the circle phase of the roundabout maneuver always stays collision-free indefinitely for an arbitrary number of aircraft. That is the most crucial part because we have to know that the aircraft always remain safe during the actual roundabout collision avoidance circle. The condition $\forall i, j{:}A\ \mathcal{T}(i,j)$ characterizes compatible tangential maneuvering choices. Without a condition like $\mathcal{T}(i,j)$, roundabouts can be unsafe [20]. For a systematic derivation of how to construct $\mathcal{T}(i,j)$, we refer to the work [20]. As a variation of (1), the temporal safety property in (2) states that, for an arbitrary number of aircraft, the circle procedure of the roundabout maneuver cannot produce collisions at any point in its bounded duration $T$. This variation restricts the continuous evolution to take exactly $T$ time units (the evolution domain region restricts the evolution to $t \leq T$ and the subsequent test to $?(\forall i{:}A\ t = T)$) and no intermediate state is visible as a final state anymore. Thus, the temporal modality $\Box$ in (2) is truly necessary. We will use the techniques developed in this paper to verify these temporal safety properties in the distributed roundabout flight collision avoidance maneuver.
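As an added example (not from the paper), the following Python checks the circle phase of Section 5 on two constructed two-aircraft fleets: it uses the closed-form solution of $\mathcal{F}_{\omega(i)}(i)$ for constant $\omega$, evaluates $\mathcal{V}(i,j)$ and $\mathcal{T}(i,j)$, and contrasts the $\Box$ reading of separation in (2) with the final-state reading. Function names, fleet data and the sampling grid are this example's assumptions, and the per-aircraft clock of (2) is collapsed into one global duration.

```python
"""Curved flight F_ω(i), separation V(i,j) and tangential condition T(i,j) from Section 5,
checked along sampled traces.  Constructed example: the closed-form solution of F_ω(i) for
constant ω is used, so no integration error enters the check; fleet data below are made up."""
from math import sin, cos, hypot, isclose, pi


def fly(ac, omega, t):
    """State (x1, x2, d1, d2) of one aircraft after following F_ω(i) for time t:
    x1' = d1, x2' = d2, d1' = -ω d2, d2' = ω d1, i.e. a circle of radius |d|/ω."""
    x1, x2, d1, d2 = ac
    s, c = sin(omega * t), cos(omega * t)
    return (x1 + (d1 * s + d2 * (c - 1)) / omega,
            x2 + (d1 * (1 - c) + d2 * s) / omega,
            d1 * c - d2 * s,
            d1 * s + d2 * c)


def V(fleet, i, j, p):
    """V(i,j): i and j are identical or at least the protected zone p apart."""
    if i == j:
        return True
    (x1, x2, _, _), (y1, y2, _, _) = fleet[i], fleet[j]
    return hypot(x1 - y1, x2 - y2) >= p


def T(fleet, i, j, omega):
    """T(i,j): d(i) - d(j) equals ω times the relative position rotated by 90°,
    so both aircraft circle a common centre and their distance stays constant."""
    x1, x2, d1, d2 = fleet[i]
    y1, y2, e1, e2 = fleet[j]
    return (isclose(d1 - e1, -omega * (x2 - y2), abs_tol=1e-9)
            and isclose(d2 - e2, omega * (x1 - y1), abs_tol=1e-9))


def for_all_pairs(fleet, pred):
    """∀i,j:A pred(i,j) over the aircraft currently present in the fleet."""
    return all(pred(i, j) for i in fleet for j in fleet)


def box_separation(fleet, omega, p, duration, samples=720):
    """Sampled check of the circle phase of (2) run for exactly `duration` time units.
    Returns (V holds at every sample, V holds in the final state), i.e. the
    [α]□φ reading next to the [α]φ reading of the same program."""
    everywhere = True
    for k in range(samples + 1):
        now = {i: fly(ac, omega, duration * k / samples) for i, ac in fleet.items()}
        if not for_all_pairs(now, lambda i, j: V(now, i, j, p)):
            everywhere = False
    final = {i: fly(ac, omega, duration) for i, ac in fleet.items()}
    return everywhere, for_all_pairs(final, lambda i, j: V(final, i, j, p))


P = 5.0                        # protected zone p (the paper: usually 5 mi)
OMEGA = 1.0                    # common angular velocity ω
FULL_CIRCLE = 2 * pi / OMEGA   # bounded duration T after which every aircraft is back at its start

# Both aircraft circle the centre (0,0) with d(i) = ω·(-x2(i), x1(i)), so T(i,j) holds.
COMPATIBLE = {"i": (0.0, 5.0, -5.0, 0.0), "j": (5.0, 0.0, 0.0, 5.0)}
# Head-on headings violate T(i,j): 6 apart at t = 0 and t = T, but only 2√5 < p at t = T/4.
INCOMPATIBLE = {"i": (0.0, 0.0, 1.0, 0.0), "j": (6.0, 0.0, -1.0, 0.0)}


def demo():
    """For each constructed fleet: (∀i,j T(i,j) holds, [α]□V holds, [α]V holds)."""
    return {
        name: (for_all_pairs(fleet, lambda i, j: T(fleet, i, j, OMEGA)),
               *box_separation(fleet, OMEGA, P, FULL_CIRCLE))
        for name, fleet in (("compatible", COMPATIBLE), ("incompatible", INCOMPATIBLE))
    }
```

For the incompatible fleet the initial and the final state are separated while an intermediate state is not, which is exactly the gap that $[\alpha]\phi$ misses and $[\alpha]\Box\phi$ catches.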

6 Proof Calculus for Temporal Properties 

In this section, we introduce a sequent calculus for verifying temporal specifications of distributed hybrid systems in QdTL. With the basic idea being to perform a symbolic decomposition, the calculus transforms quantified hybrid programs successively into simpler logical formulas describing their effects. Statements about the temporal behavior of a quantified hybrid program are successively reduced to corresponding non-temporal statements about the intermediate states.

6.1 Proof Rules 

In Fig. 2, we present a proof calculus for QdTL that inherits the proof rules of QdL from [21,22] and adds new proof rules for temporal modalities. We use the sequent notation informally for a systematic proof structure. A sequent is of the form $\Gamma \to \Delta$, where the antecedent $\Gamma$ and succedent $\Delta$ are finite sets of formulas. The semantics of $\Gamma \to \Delta$ is that of the formula $\bigwedge_{\phi \in \Gamma} \phi \to \bigvee_{\psi \in \Delta} \psi$ and will be treated as an abbreviation. As usual in sequent calculus, the proof rules are applied backwards from the conclusion (goal below horizontal bar) to the premises (subgoals above bar).

Inherited Non-temporal Rules. The QdTL calculus inherits the (non-temporal) QdL proof rules. For propositional logic, standard rules ax–cut are listed in Fig. 2. Rules $[;]$–$\langle ?\rangle$ work similarly to those in [12]. Rules $[']$, $\langle'\rangle$ handle continuous evolutions for quantified differential equations with first-order definable solutions. Rules $[:=]$–$\langle{:}{*}\rangle$ handle discrete changes for quantified assignments. Axiom ex expresses that, for sort $A \neq \mathbb{R}$, there always is a new object $n$ that has not been created yet ($E(n) = 0$), because domains are infinite. The quantifier rules $\forall r$–$i\exists$ combine quantifier handling of many-sorted logic based on instantiation with theory reasoning by quantifier elimination (QE) for the theory of reals. The global rules $[]\mathrm{gen}$, $\langle\rangle\mathrm{gen}$ are Gödel generalization rules and ind is an induction schema for loops with inductive invariant $\phi$ [12]. Similarly, con generalizes Harel's convergence rule [12] to the hybrid case with decreasing variant $\varphi$ [19]. DI and DC are rules for quantified differential equations with quantified differential invariants [21,22]. Notice that $[\cup]$, $\langle\cup\rangle$ can be generalized to apply to formulas of the form $[\alpha \cup \beta]\pi$ where $\pi$ is an arbitrary trace formula, and not just a state formula as in QdL. Thus, $\pi$ may begin with $\Box$ and $\Diamond$, which is why the rules are repeated in this generalized form as $[\cup]_\Box$ and $\langle\cup\rangle_\Diamond$ in Fig. 2.

Temporal Rules The new temporal rules in Fig. [5] for the QdTL calculus suc- 
cessively transform temporal specifications of quantified hybrid programs into non- 
temporal QdC formulas. The idea underlying this transformation is to decompose 
quantified hybrid programs and recursively augment intermediate state transitions 
with appropriate specifications. 

Rule [;]□ decomposes invariants of α;β (i.e., [α;β]□φ holds) into an invariant of α (i.e., [α]□φ) and an invariant of β that holds when β is started in any final state of α (i.e., [α]([β]□φ)). Its difference with the QdL rule [;] thus is that the QdTL rule [;]□ also checks safety invariant φ at the symbolic states in between the execution of α and β, and recursively so because of the temporal modality □. Rule [:=]□ expresses that invariants of quantified assignments need to hold before and after the discrete change (similarly for [?]□, except that tests do not lead to a state change, so φ holding before the test is all there is to it). Rule [']□ can directly reduce invariants of continuous evolutions to non-temporal formulas, as restrictions of solutions of quantified differential equations are themselves solutions of different duration and thus already included in the continuous evolutions of ∀i:A f(s)' = θ. The (optional) iteration rule [*ⁿ]□ can partially unwind loops. It relies on rule [;]□. The dual rules ⟨∪⟩◇, ⟨;⟩◇, ⟨:=⟩◇, ⟨?⟩◇, ⟨'⟩◇, ⟨*ⁿ⟩◇ work similarly. Rules for handling [α]◇φ and ⟨α⟩□φ are discussed in Section 8.

The inductive definition rules [*]□ and ⟨*⟩◇ completely reduce temporal properties of loops to QdTL properties of standard non-temporal QdL modalities such that standard induction (ind) or convergence (con) rules, as listed in Fig. 2, can be used for the outer non-temporal modality of the loop. Hence, after applying the inductive loop definition rules [*]□ and ⟨*⟩◇, the standard QdL loop invariant and variant rules can be used for verifying temporal properties of loops without change, except that the postcondition contains temporal modalities.

Rule schemata (each rule is written as premise(s) / conclusion; several premises are separated by ‖; superscripts refer to the side conditions below):

Propositional rules
  (ax)    Γ, φ → φ, Δ   (no premise)
  (¬r)    Γ, φ → Δ  /  Γ → ¬φ, Δ
  (¬l)    Γ → φ, Δ  /  Γ, ¬φ → Δ
  (∧r)    Γ → φ, Δ ‖ Γ → ψ, Δ  /  Γ → φ ∧ ψ, Δ
  (∧l)    Γ, φ, ψ → Δ  /  Γ, φ ∧ ψ → Δ
  (∨r)    Γ → φ, ψ, Δ  /  Γ → φ ∨ ψ, Δ
  (∨l)    Γ, φ → Δ ‖ Γ, ψ → Δ  /  Γ, φ ∨ ψ → Δ
  (→r)    Γ, φ → ψ, Δ  /  Γ → (φ → ψ), Δ
  (→l)    Γ → φ, Δ ‖ Γ, ψ → Δ  /  Γ, (φ → ψ) → Δ
  (cut)   Γ → φ, Δ ‖ Γ, φ → Δ  /  Γ → Δ

Non-temporal dynamic rules
  ([;])   [α][β]φ  /  [α;β]φ
  (⟨;⟩)   ⟨α⟩⟨β⟩φ  /  ⟨α;β⟩φ
  ([∪])   [α]φ ∧ [β]φ  /  [α ∪ β]φ
  (⟨∪⟩)   ⟨α⟩φ ∨ ⟨β⟩φ  /  ⟨α ∪ β⟩φ
  ([?])   χ → φ  /  [?χ]φ
  (⟨?⟩)   χ ∧ φ  /  ⟨?χ⟩φ
  (['])¹  ∀t ≥ 0 ((∀0 ≤ t̃ ≤ t [∀i:A S(t̃)]χ) → [∀i:A S(t)]φ)  /  [∀i:A f(s)' = θ & χ]φ
  (⟨'⟩)¹  ∃t ≥ 0 ((∀0 ≤ t̃ ≤ t ⟨∀i:A S(t̃)⟩χ) ∧ ⟨∀i:A S(t)⟩φ)  /  ⟨∀i:A f(s)' = θ & χ⟩φ
  ([:=])² if ∃i:A s = [A]u then ∀i:A (s = [A]u → φ(θ)) else φ(f([A]u)) fi  /  [∀i:A f(s) := θ]φ(f(u))
  (⟨:=⟩)² if ∃i:A s = ⟨A⟩u then ∃i:A (s = ⟨A⟩u ∧ φ(θ)) else φ(f(⟨A⟩u)) fi  /  ⟨∀i:A f(s) := θ⟩φ(f(u))
  (skip)³ Υ([∀i:A f(s) := θ]u)  /  [∀i:A f(s) := θ]Υ(u)
  ([:*])  ∀j:A ψ(θ)  /  [∀j:A n := θ]ψ(n)
  (⟨:*⟩)  ∃j:A ψ(θ)  /  ⟨∀j:A n := θ⟩ψ(n)
  (ex)    true  /  ∃n:A E(n) = 0   (sort A ≠ R)

Quantifier rules
  (∀r)⁴   Γ → φ(s(X₁, …, Xₙ)), Δ  /  Γ → ∀x φ(x), Δ
  (∃r)⁵   Γ → φ(θ), Δ  /  Γ → ∃x φ(x), Δ
  (∀l)⁵   Γ, φ(θ) → Δ  /  Γ, ∀x φ(x) → Δ
  (∃l)⁴   Γ, φ(s(X₁, …, Xₙ)) → Δ  /  Γ, ∃x φ(x) → Δ
  (i∃)⁶   QE(∃X ⋀ᵢ (Φᵢ → Ψᵢ))  /  Φ₁ → Ψ₁ ‖ … ‖ Φₙ → Ψₙ

Global rules
  ([]gen)  φ → ψ  /  Γ, [α]φ → [α]ψ, Δ
  (⟨⟩gen)  φ → ψ  /  Γ, ⟨α⟩φ → ⟨α⟩ψ, Δ
  (ind)    φ → [α]φ  /  Γ, φ → [α*]φ, Δ
  (con)⁷   v > 0 ∧ φ(v) → ⟨α⟩φ(v − 1)  /  Γ, ∃v φ(v) → ⟨α*⟩∃v ≤ 0 φ(v), Δ

Differential rules
  (DI)⁸   χ → [∀i:A f(s)' := θ]D(ψ)  /  ψ → [∀i:A f(s)' = θ & χ]ψ
  (DC)    → [∀i:A f(s)' = θ & χ]ψ ‖ → [∀i:A f(s)' = θ & χ ∧ ψ]φ  /  → [∀i:A f(s)' = θ & χ]φ

Temporal rules
  ([∪]π)⁹  [α]π ∧ [β]π  /  [α ∪ β]π
  (⟨∪⟩π)⁹  ⟨α⟩π ∨ ⟨β⟩π  /  ⟨α ∪ β⟩π
  ([;]□)   [α]□φ ∧ [α][β]□φ  /  [α;β]□φ
  (⟨;⟩◇)   ⟨α⟩◇φ ∨ ⟨α⟩⟨β⟩◇φ  /  ⟨α;β⟩◇φ
  ([:=]□)  φ ∧ [∀i:A f(s) := θ]φ  /  [∀i:A f(s) := θ]□φ
  (⟨:=⟩◇)  φ ∨ ⟨∀i:A f(s) := θ⟩φ  /  ⟨∀i:A f(s) := θ⟩◇φ
  ([?]□)   φ  /  [?χ]□φ
  (⟨?⟩◇)   φ  /  ⟨?χ⟩◇φ
  ([']□)   [∀i:A f(s)' = θ & χ]φ  /  [∀i:A f(s)' = θ & χ]□φ
  (⟨'⟩◇)   ⟨∀i:A f(s)' = θ & χ⟩φ  /  ⟨∀i:A f(s)' = θ & χ⟩◇φ
  ([*ⁿ]□)  φ ∧ [α;α*]□φ  /  [α*]□φ
  (⟨*ⁿ⟩◇)  φ ∨ ⟨α;α*⟩◇φ  /  ⟨α*⟩◇φ
  ([*]□)   [α*][α]□φ  /  [α*]□φ
  (⟨*⟩◇)   ⟨α*⟩⟨α⟩◇φ  /  ⟨α*⟩◇φ

Side conditions:
1 t, t̃ are new variables. ∀i:A S(t) is the quantified assignment ∀i:A f(s) := y_s(t) with solutions y_s(t) of the (injective) differential equations and f(s) as initial values. See [21,22] for the definition of an injective quantified assignment or quantified differential equation.
2 Occurrence f(u) in φ(f(u)) is not in scope of a modality (admissible substitution) and we abbreviate assignment ∀i:A f(s) := θ by A, which is assumed to be injective.
3 f ≠ Υ and the quantified assignment ∀i:A f(s) := θ is injective. The same rule applies for ⟨∀i:A f(s) := θ⟩ instead of [∀i:A f(s) := θ].
4 s is a new (Skolem) function and X₁, …, Xₙ are all free logical variables of ∀x φ(x).
5 θ is an arbitrary term, often a new logical variable.
6 Among all open branches, the free (existential) logical variable X of sort R only occurs in the branch Φᵢ → Ψᵢ. QE needs to be defined for the formula in the premises, especially, no Skolem dependencies on X occur.
7 Logical variable v does not occur in α.
8 The operator D, as defined in [21,22], is used to compute syntactic total derivations of formulas algebraically.
9 π is a trace formula, whereas φ and ψ are (state) formulas. Unlike φ and ψ, the trace formula π may thus begin with a temporal modality □ or ◇.

Fig. 2: Rule schemata of the proof calculus for quantified differential temporal dynamic logic
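The temporal rules of Fig. 2 as a syntactic reduction, given here as an added example (not code from the paper or from the KeYmaeraD prover). It assumes a small Python datatype for quantified hybrid programs in which atomic programs and state formulas are opaque strings, and applies the reduction to the bounded-time roundabout program ∀i t := 0; ∀i M(i) & χ; ?η of Fig. 4 with postcondition ∀i,j P(i,j):

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Union

# Quantified hybrid programs; atomic programs are opaque strings tagged by kind.
@dataclass(frozen=True)
class Atomic:
    """kind: "assign" (∀i:A f(s) := θ), "test" (?χ) or "ode" (∀i:A f(s)' = θ & χ)."""
    kind: str
    text: str

@dataclass(frozen=True)
class Seq:      # α;β
    a: Prog
    b: Prog

@dataclass(frozen=True)
class Choice:   # α ∪ β
    a: Prog
    b: Prog

@dataclass(frozen=True)
class Loop:     # α*
    a: Prog

Prog = Union[Atomic, Seq, Choice, Loop]

# Formulas; the reducer only ever builds non-temporal modalities.
@dataclass(frozen=True)
class Atom:     # opaque state formula
    text: str

@dataclass(frozen=True)
class Modal:    # [α]φ if box else ⟨α⟩φ; always non-temporal
    box: bool
    prog: Prog
    phi: Formula

@dataclass(frozen=True)
class Junction: # φ ∧ ψ if conj else φ ∨ ψ
    conj: bool
    l: Formula
    r: Formula

Formula = Union[Atom, Modal, Junction]

def reduce_temporal(alpha: Prog, phi: Formula, box: bool = True) -> Formula:
    """Apply the temporal rules of Fig. 2 to [α]□φ (box=True) or ⟨α⟩◇φ (box=False)."""
    def modal(p: Prog, f: Formula) -> Formula:      # non-temporal [p]f or ⟨p⟩f
        return Modal(box, p, f)

    def junction(l: Formula, r: Formula) -> Formula: # ∧ for □ rules, ∨ for the ◇ duals
        return Junction(box, l, r)

    if isinstance(alpha, Atomic):
        if alpha.kind == "assign":   # [:=]□ / ⟨:=⟩◇: φ must hold before and after the jump
            return junction(phi, modal(alpha, phi))
        if alpha.kind == "test":     # [?]□ / ⟨?⟩◇: a test changes no state, only φ remains
            return phi
        if alpha.kind == "ode":      # [']□ / ⟨'⟩◇: every prefix of a flow is itself a flow
            return modal(alpha, phi)
        raise ValueError(f"unknown atomic program kind {alpha.kind!r}")
    if isinstance(alpha, Choice):    # [∪]π / ⟨∪⟩π: both branches, trace formula unchanged
        return junction(reduce_temporal(alpha.a, phi, box),
                        reduce_temporal(alpha.b, phi, box))
    if isinstance(alpha, Seq):       # [;]□: [α]□φ ∧ [α][β]□φ    ⟨;⟩◇: ⟨α⟩◇φ ∨ ⟨α⟩⟨β⟩◇φ
        return junction(reduce_temporal(alpha.a, phi, box),
                        modal(alpha.a, reduce_temporal(alpha.b, phi, box)))
    if isinstance(alpha, Loop):      # [*]□: [α*][α]□φ    ⟨*⟩◇: ⟨α*⟩⟨α⟩◇φ (outer loop left to ind/con)
        return modal(alpha, reduce_temporal(alpha.a, phi, box))
    raise TypeError(f"unknown program {alpha!r}")

def show_prog(p: Prog) -> str:
    if isinstance(p, Atomic):
        return "?" + p.text if p.kind == "test" else p.text
    if isinstance(p, Seq):
        return f"{show_prog(p.a)}; {show_prog(p.b)}"
    if isinstance(p, Choice):
        return f"({show_prog(p.a)} ∪ {show_prog(p.b)})"
    return f"({show_prog(p.a)})*"

def show(f: Formula) -> str:
    if isinstance(f, Atom):
        return f.text
    if isinstance(f, Modal):
        lb, rb = ("[", "]") if f.box else ("⟨", "⟩")
        return f"{lb}{show_prog(f.prog)}{rb}{show(f.phi)}"
    return f"({show(f.l)}{' ∧ ' if f.conj else ' ∨ '}{show(f.r)})"

# Bounded-time roundabout program of Fig. 4 (constructed sample input).
RESET, CIRCLE, DONE = Atomic("assign", "∀i t := 0"), Atomic("ode", "∀i M(i) & χ"), Atomic("test", "η")
ROUNDABOUT_T = Seq(RESET, Seq(CIRCLE, DONE))   # ∀i t := 0; ∀i M(i) & χ; ?η
SAFE = Atom("∀i,j P(i,j)")                     # collision-freedom postcondition of Fig. 4
```

`show(reduce_temporal(ROUNDABOUT_T, SAFE))` yields the two subgoals of Fig. 4 after [;]□: the [:=]□ goal before and after the reset, and the [']□ / [?]□ goals under the reset.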

6.2 Soundness and Completeness 

The following result shows that verification with the QdTL calculus always produces correct results about the safety of distributed hybrid systems, i.e., the QdTL calculus is sound.

Theorem 1 (Soundness of QdTL). The QdTL calculus is sound, i.e., every QdTL (state) formula that can be proven is valid.

The verification for temporal safety ([α]□φ or ⟨α⟩◇φ), temporal liveness ([α]◇φ or ⟨α⟩□φ), and non-temporal ([α]φ or ⟨α⟩φ) fragments of distributed hybrid systems has three independent sources of undecidability. Thus, no verification technique can be effective. Hence, QdTL cannot be effectively axiomatizable. Both its discrete and its continuous fragments alone are subject to Gödel's incompleteness theorem [19]. The fragment with only structural and dimension-changing dynamics is not effective either, because it can encode two-counter machines.

QdL has been proved to be complete relative to quantified differential equations [21,22]. Due to the modular construction of the QdTL calculus, we can lift the relative completeness result from QdL to QdTL. We essentially show that QdTL is complete relative to QdL, which directly implies that the QdTL calculus is even complete relative to an oracle for the fragment of QdTL that has only quantified differential equations in modalities. Again, we restrict our attention to homogeneous combinations of path and trace quantifiers like [α]□φ or ⟨α⟩◇φ.

Theorem 2 (Relative Completeness of QdTL). The calculus in Fig. 2 is a complete axiomatization of QdTL relative to quantified differential equations.

This result shows that both temporal and non-temporal properties of distributed hybrid systems can be proven to exactly the same extent to which properties of quantified differential equations can be proven. It also gives a formal justification that the QdTL calculus reduces temporal properties to non-temporal QdL properties.

7 Verification of Distributed Air Traffic Control Safety Properties

Continuing the distributed air traffic control study from Section 5, the QdTL proofs of the temporal safety invariant and of the bounded-time temporal safety property (5) are presented in Fig. 3 and Fig. 4, respectively (for the purpose of simplifying the presentation, we ignore typing information A for aircraft in the proof, because it is clear from the context). Note that temporal and non-temporal properties of the maneuver cannot be proven using any hybrid systems verification technique, because the dimension is parametric and unbounded and may even change dynamically during the remainder of the maneuver. The single proof in Fig. 3 or Fig. 4 corresponds to infinitely many proofs for systems with n aircraft for all n.

Our proofs show that the distributed roundabout maneuver always safely avoids collisions for arbitrarily many aircraft (even with dynamic appearance of new aircraft). The above maneuver still requires all aircraft in the horizon of relevance to participate in the collision avoidance maneuver. In fact, we can show that this is unnecessary for aircraft that are far enough away and that may be engaged in other roundabouts. Yet, this is beyond the scope of this paper.

[Proof tree of Fig. 3]

Abbreviation: L(i) ≡ x₁(i)' := d₁(i), x₂(i)' := d₂(i), d₁(i)' := −ω d₂(i), d₂(i)' := ω d₁(i)

Fig. 3: Proof for temporal collision freedom of roundabout collision avoidance maneuver circle




8 Liveness by Quantifier Alternation

Liveness specifications of the form [α]◇φ or ⟨α⟩□φ are sophisticated (Π⁰₂-hard, because they can express infinite occurrence in Turing machines). Beckert and Schlager [2], for instance, note that they failed to find sound rules for a discrete case that corresponds to [α;β]◇φ.

For finitary liveness semantics, we can still find proof rules. In this section, we modify the meaning of [α]◇φ to refer to all terminating traces of α. Then, the straightforward generalization [;]◇ in Fig. 5 is sound, even in the hybrid case. But [;]◇ still leads to an incomplete axiomatization as it does not cover the case where, in some traces, φ becomes true at some point during α, and in other traces, φ only becomes true during β. To overcome this limitation, we use a program transformation approach. We instrument the quantified hybrid program to monitor the occurrence of φ during all changes: In [α]◇, α̂ results from replacing all occurrences of ∀i:A f(s) := θ with ∀i:A f(s) := θ; ?(φ → t = 1) and ∀i:A f(s)' = θ & χ with ∀i:A f(s)' = θ & χ ∧ (φ → t = 1). The latter is a continuous evolution restricted to the region that satisfies χ and φ → t = 1. The effect is that t detects whether φ has occurred during any change in α. In particular, t is guaranteed to be 1 after all runs if φ occurs at least once along all traces of α.

[Proof tree of Fig. 4 for the sequent  ∀i,j P(i,j) ∧ ∀i,j T(i,j) → [∀i t := 0; ∀i M(i) & χ; ?η]□∀i,j P(i,j)]

Abbreviations: χ ≡ ∀i t ≤ T, η ≡ ∀i t = T,
K(i) ≡ x₁(i)' := d₁(i), x₂(i)' := d₂(i), d₁(i)' := −ω d₂(i), d₂(i)' := ω d₁(i), t' := 1

Fig. 4: Proof for temporal collision freedom of roundabout collision avoidance maneuver circle in bounded time

9 Conclusions and Future Work 

For reasoning about distributed hybrid systems, we have introduced a temporal dynamic logic, QdTL, with modal path quantifiers over traces and temporal quantifiers along the traces. It combines the capabilities of quantified differential dynamic logic to reason about possible distributed hybrid system behavior with the power of temporal logic in reasoning about the behavior along traces. Furthermore, we have presented a proof calculus for verifying temporal safety specifications of quantified hybrid programs in QdTL.

  ([;]◇)   → [α]◇φ, [α][β]◇φ  /  → [α;β]◇φ
  ([α]◇)   φ ∨ ∀t:R [α̂]t = 1  /  [α]◇φ

Fig. 5: Transformation rules for alternating temporal path and trace quantifiers

Our sequent calculus for QdTL is a completely modular combination of temporal and non-temporal reasoning. Temporal formulas are handled using rules that augment intermediate state transitions with corresponding sub-specifications. Purely non-temporal rules handle the effects of discrete transitions, continuous evolutions, and structural/dimension changes. The modular nature of the QdTL calculus further enables us to lift the relative completeness result from QdL to QdTL. This theoretical result shows that the QdTL calculus is a sound and complete axiomatization of the temporal behavior of distributed hybrid systems relative to differential equations. As an example, we demonstrate that our logic is suitable for reasoning about temporal safety properties in a distributed air traffic control system.

We are currently extending our verification tool for distributed hybrid systems, which is an automated theorem prover called KeYmaeraD [25], to cover the full QdTL calculus. Future work includes extending QdTL with CTL*-like [10] formulas of the form [α](ψ ∧ □φ) to avoid splitting of the proof into two very similar subproofs for temporal parts [α]□φ and non-temporal parts [α]ψ arising in [;]□. Our combination of temporal logic with dynamic logic is more suitable for this purpose than the approach in [2], since QdTL has uniform modalities and uniform semantics for temporal and non-temporal specifications. This extension will also simplify the treatment of alternating liveness quantifiers conceptually.
A Proof of Conservative Temporal Extension



A.1 Reachability Semantics of QdL

In this subsection, we review the reachability semantics of QdL given in [21,22] before proving Proposition 1 in the next subsection.

Definition 4 (Reachability Semantics of QHP). The reachability semantics, ρ(α), of QHP α, is a transition relation on states. It specifies which state τ ∈ S is reachable from a state σ ∈ S by running QHP α and is defined as:

1. (σ, τ) ∈ ρ(∀i:A f(s) := θ) iff τ is identical to σ except that at each position o of f: if σ_i^e[[s]] = o for some object e ∈ σ(A), then τ(f)(σ_i^e[[s]]) = σ_i^e[[θ]]. If there are multiple objects e giving the same position σ_i^e[[s]] = o, then all of the resulting states τ are reachable.

2. (σ, τ) ∈ ρ(∀i:A f(s)' = θ & χ) iff there is a function ψ : [0, r] → S for some r ≥ 0 with ψ(0) = σ and ψ(r) = τ satisfying the following conditions. At each time t ∈ [0, r], state ψ(t) is identical to σ, except that at each position o of f: if σ_i^e[[s]] = o for some object e ∈ σ(A), then, at each time ζ ∈ [0, r]:

   – The differential equations hold and derivatives exist (trivial for r = 0).

   – The evolution domain is respected: ψ(ζ)_i^e[[χ]] = true.

   If there are multiple objects e giving the same position σ_i^e[[s]] = o, then all of the resulting states τ are reachable.

3. ρ(?χ) = {(σ, σ) : σ[[χ]] = true}

4. ρ(α ∪ β) = ρ(α) ∪ ρ(β)

5. ρ(α; β) = {(σ, τ) : (σ, z) ∈ ρ(α) and (z, τ) ∈ ρ(β) for a state z}

6. (σ, τ) ∈ ρ(α*) iff there is an n ∈ ℕ with n ≥ 0 and there are states σ = σ₀, …, σₙ = τ such that (σᵢ, σᵢ₊₁) ∈ ρ(α) for all 0 ≤ i < n.

Definition 5 (Valuation of QdL Formulas). The valuation of QdL formula φ with respect to state σ is defined as follows:

1. σ[[θ₁ = θ₂]] = true iff σ[[θ₁]] = σ[[θ₂]]; accordingly for ≥.

2. σ[[φ ∧ ψ]] = true iff σ[[φ]] = true and σ[[ψ]] = true; accordingly for ¬.

3. σ[[∀i:A φ]] = true iff σ_i^e[[φ]] = true for all objects e ∈ σ(A).

4. σ[[∃i:A φ]] = true iff σ_i^e[[φ]] = true for some object e ∈ σ(A).

5. σ[[[α]φ]] = true iff τ[[φ]] = true for all states τ with (σ, τ) ∈ ρ(α).

6. σ[[⟨α⟩φ]] = true iff τ[[φ]] = true for some τ with (σ, τ) ∈ ρ(α).



A.2 Extension Proof

The proof of Proposition 1 uses the following lemma about the relationship of reachability and trace semantics of QdTL programs, which agree on initial and final states.

Lemma 1. For QHP α, we have

ρ(α) = {(first ν, last ν) : ν ∈ μ(α) terminates}.

Proof. The proof follows an induction on the structure of α.

– The cases ∀i:A f(s) := θ, ∀i:A f(s)' = θ & χ, and α ∪ β are simple by comparing Definition 2 and Definition 4.

– For ?χ, the reasoning splits into two directions. For the direction "⊇", assume ν ∈ μ(?χ). We distinguish between two cases. If first ν[[χ]] = true, then ν = (σ̂) has length one, last ν = first ν, and (first ν, last ν) ∈ ρ(?χ). If, however, first ν[[χ]] = false, then ν = (σ̂, Λ) does not terminate, hence, there is nothing to show. Conversely, for "⊆", assume (σ, σ) ∈ ρ(?χ), then σ[[χ]] = true and (σ̂) ∈ μ(?χ) satisfies the conditions on ν.

– For α;β and the direction "⊇", assume that ν∘ς ∈ μ(α;β) terminates with ν ∈ μ(α), ς ∈ μ(β), and last ν = first ς. Then, by induction hypothesis, we can assume that (first ν, last ν) ∈ ρ(α), and (first ς, last ς) ∈ ρ(β). By the semantics of sequential composition, we conclude (first ν∘ς, last ν∘ς) ∈ ρ(α;β). Conversely, for "⊆", assume that (σ, τ) ∈ ρ(α;β), i.e., let (σ, z) ∈ ρ(α) and (z, τ) ∈ ρ(β). By induction hypothesis, there is a terminating trace ν ∈ μ(α) with first ν = σ and last ν = z. Further, by induction hypothesis, there is a terminating trace ς ∈ μ(β) with first ς = z and last ς = τ. Hence, ν∘ς ∈ μ(α;β) terminates, first ν∘ς = σ and last ν∘ς = τ.

– The case α* is an inductive consequence of the sequential composition case.

Proof (of Proposition 1). The formulas of QdL are a subset of the QdTL formulas. In the course of this proof, we use the notation σ_QdL[[·]] to indicate that the QdL valuation from Definition 5 is used. For QdL formulas ψ, we show that the valuations with respect to Definition 3 and with respect to Definition 5 are the same for all states σ:

σ[[ψ]] = σ_QdL[[ψ]] for all σ.

We prove this by induction on the structure of ψ. The cases θ₁ = θ₂, θ₁ ≥ θ₂, ¬φ, φ ∧ ψ, ∀i:A φ, ∃i:A φ of state formulas are obvious. The other cases are proven as follows.

– If ψ has the form [α]φ, assume that σ[[[α]φ]] = false. Then there is some terminating trace ν ∈ μ(α) with first ν = σ such that last ν[[φ]] = false. By induction hypothesis, this implies that last ν_QdL[[φ]] = false. According to Lemma 1, (σ, last ν) ∈ ρ(α) holds, which implies σ_QdL[[[α]φ]] = false. For the converse direction, assume that σ_QdL[[[α]φ]] = false. Then there is a (σ, τ) ∈ ρ(α) with τ_QdL[[φ]] = false. By Lemma 1, there is a terminating trace ν ∈ μ(α) with first ν = σ and last ν = τ. By induction hypothesis, last ν[[φ]] = false. Thus, we can conclude that both ν[[φ]] = false and σ[[[α]φ]] = false.

– The case ψ = ⟨α⟩φ is proven accordingly.



B Proof of Soundness and Completeness 



B.1 Proof of Soundness

Proof (Proof of Theorem 1). We show that all rules of the QdTL calculus are locally sound, i.e., for all states σ, the conclusion of a rule is true in state σ when all premisses are true in σ. Let σ be any state. For each rule we have to show that the conclusion is true in σ assuming the premisses are true in σ. Inductively, the soundness of the non-temporal rules follows from Proposition 1 and local soundness of the corresponding rules in QdL [21,22]. The proof for the generalization in [∪] and ⟨∪⟩ to path formulas π is a straightforward extension.

– [;]□ Assume σ ⊨ [α]□φ and σ ⊨ [α][β]□φ. Let ν ∈ μ(α;β), i.e., ν = ϱ∘ς, with first ν = σ, ϱ ∈ μ(α), and ς ∈ μ(β). If ϱ does not terminate, then ν = ϱ ∈ μ(α) and ν ⊨ □φ by premise. If ϱ terminates with last ϱ = first ς, then ϱ ⊨ □φ by premise. Further, we know σ ⊨ [α][β]□φ. In particular for trace ϱ ∈ μ(α), we have last ϱ ⊨ [β]□φ. Thus, ς ⊨ □φ because ς ∈ μ(β) starts at first ς = last ϱ. By composition, ϱ∘ς ⊨ □φ. As ν = ϱ∘ς was arbitrary, we can conclude σ ⊨ [α;β]□φ. The converse direction holds, as all traces of α are prefixes of traces of α;β. Hence, the assumption σ ⊨ [α;β]□φ directly implies σ ⊨ [α]□φ. Further, all traces of β that begin at a state reachable from σ by α are suffixes of traces of α;β that start in σ. Hence, σ ⊨ [α][β]□φ is implied as well.

– [?]□ Soundness of [?]□ is obvious, since, by premise, we can assume σ ⊨ φ, and there is nothing to show for Λ states according to Definition 3. Conversely, σ is a prefix of all traces in μ(?χ) that start in σ.

– [:=]□ Assuming σ ⊨ φ and σ ⊨ [∀i:A f(s) := θ]φ, we have to show that σ ⊨ [∀i:A f(s) := θ]□φ. Let ν ∈ μ(∀i:A f(s) := θ) be any trace with first ν = σ, i.e., ν = (σ̂, τ̂) by Definition 2. Hence, the only two states we need to consider are ν₀(0) = σ and ν₁(0) = τ. By premise, ν₀(0) = σ yields ν₀(0) ⊨ φ. Similarly, for the state ν₁(0) = last ν = τ, the premise gives ν₁(0) ⊨ φ. The converse direction is similar.

– [']□ We prove that [']□ is locally sound by contraposition. For this, assume that σ ⊭ [∀i:A f(s)' = θ & χ]□φ; then there is a trace ν = (ψ) ∈ μ(∀i:A f(s)' = θ & χ) starting in first ν = σ with ν ⊭ □φ. Hence, there is a position (0, ζ) of ν with ν₀(ζ) ⊭ φ. Now ψ restricted to [0, ζ] also solves the quantified differential equation ∀i:A f(s)' = θ & χ. Thus, (ψ|_[0,ζ]) ⊭ φ, since the last state is ψ(ζ). By consequence, this gives σ ⊭ [∀i:A f(s)' = θ & χ]φ. The converse direction is obvious as last ν always is a state occurring during ν. Hence, σ ⊭ [∀i:A f(s)' = θ & χ]φ immediately implies σ ⊭ [∀i:A f(s)' = θ & χ]□φ.

– [*ⁿ]□ By contraposition, assume that σ ⊭ [α*]□φ. Then there is an n ∈ ℕ and a trace ν ∈ μ(αⁿ) with first ν = σ such that ν ⊭ □φ. There are two cases. If n > 0 then ν ∈ μ(α;α*), and thus σ ⊭ [α;α*]□φ. If, however, n = 0, then ν = (σ̂) and σ ⊭ φ. Hence, all traces ς ∈ μ(α;α*) with first ς = σ satisfy ς ⊭ □φ. Finally, it is easy to see that all programs have at least one such trace that witnesses σ ⊭ [α;α*]□φ. The converse direction is easy as all behaviour of α;α* is subsumed by α*, i.e., μ(α;α*) ⊆ μ(α*).

– [*]□ Clearly, using the fact that μ(α*) ⊇ μ(α*;α), the set of states along the traces of α* at which φ needs to be true for the premise is a subset of the corresponding set for the conclusion. Hence, the conclusion entails the premise. Conversely, all states during traces of α* are also reachable by iterating α sufficiently often to completion and then following a single trace of α. In detail: If σ ⊭ [α*]□φ, then there is a trace ν ∈ μ(α*) on which ¬φ holds true at some state, say, at ν_k(ζ) ≠ Λ. Let n ≥ 0 be the (maximum) number of complete repetitions of α along ν before discrete step index k. That is, there is some discrete step index k_n ≤ k such that the prefix ϱ = (ν₀, …, ν_{k_n}) ∈ μ(αⁿ) of ν consists of n complete repetitions of α and the suffix ς = (ν_{k_n+1}, ν_{k_n+2}, …) ∈ μ(α*) starts with a trace of α during which ¬φ occurs at point ν_k(ζ), namely at relative position (k − (k_n + 1), ζ). Let ς′ ∈ μ(α) be this prefix of ς. Consequently, ς′ ⊨ ◇¬φ and the trace ϱ∘ς′ is a witness for σ ⊨ ⟨α*⟩⟨α⟩◇¬φ.

The proofs for ⟨;⟩◇–⟨*⟩◇ are dual, since ⟨α⟩◇φ is equivalent to ¬[α]□¬φ by duality.
B.2 Proof of Relative Completeness

Proof (Outline of Proof of Theorem 2). The proof is a simple extension of the proof of Theorem 1 in [22], which is the relative completeness theorem for QdL, because the QdTL calculus successively reduces temporal properties to non-temporal properties and, in particular, handles loops by inductive definition rules in terms of QdL modalities. The temporal rules in Fig. 2 transform temporal formulas to simpler formulas, i.e., to where the temporal modalities occur after simpler programs ([∪]π, [*]□, ⟨∪⟩π, ⟨*⟩◇) or disappear completely ([?]□, [:=]□, [']□ and ⟨?⟩◇, ⟨:=⟩◇, ⟨'⟩◇). Hence, the inductive relative completeness proof for QdL in [22] directly generalizes to QdTL with the following addition: After applying [*]□ or ⟨*⟩◇, loops are ultimately handled by the standard QdL rules ind and con. To show that sufficiently strong invariants and variants exist for the temporal postconditions [α]□φ and ⟨α⟩◇φ, we only have to show that such temporal formulas are expressible in the first-order logic of quantified differential equations, FOQD [22].



C Proofs for Liveness Verification by Quantifier Alternation

In this section, we prove that the rules in Section 8 are sound.

Proposition 2 (Local soundness). The rules in Section 8 are locally sound for finitary liveness semantics.

Proof. Let σ be any state.

– [;]◇ Assuming that the premiss is true, we need to consider two cases corresponding to the two formulas of its succedent. If σ ⊨ [α]◇φ, then obviously σ ⊨ [α;β]◇φ, as every trace of α;β has a trace of α as prefix, during which φ holds at least once. If, however, σ ⊨ [α][β]◇φ, then φ occurs at least once during all traces that start in a state reachable from σ by α. Let ϱ∘ς ∈ μ(α;β) with first ϱ = σ, ϱ ∈ μ(α) and ς ∈ μ(β). In finitary liveness semantics, ϱ∘ς can be assumed to terminate (otherwise there is nothing to show). Then, last ϱ is a state reachable from σ by α, hence ς ⊨ ◇φ. Thus, ϱ∘ς ⊨ ◇φ.

– [α]◇ For the soundness of [α]◇, first observe that the truth of σ[[φ]] of φ depends on the state σ, hence it can only be affected during state changes. Further, the only actual changes of valuations happen during discrete jumps ∀i:A f(s) := θ or continuous evolutions ∀i:A f(s)' = θ & χ. All other system actions only cause control flow effects but no elementary state changes. Assume the premise is true in a state σ. If σ ⊨ φ, the conjecture is obvious. Hence, assume σ ⊨ ∀t:R [α̂]t = 1. Suppose σ ⊭ [α]◇φ, then there is a trace ν ∈ μ(α) with ν ⊭ ◇φ. Then, this trace directly corresponds to a trace ν̂ of α̂ in which all φ → t = 1 conditions are trivially satisfied as φ never holds. As there are no changes of the fresh variable t during α̂, the value of t remains constant during ν̂. But then we can conclude that there is a trace, which is essentially the same as ν̂ except for the constant valuation of the fresh variable t on which no conditions are imposed, hence t = 0 is possible. As these traces terminate in finitary liveness semantics, we can conclude σ ⊭ ∀t:R [α̂]t = 1, which is a contradiction. Conversely, for equivalence of premiss and conclusion, assume σ ⊭ φ ∨ ∀t:R [α̂]t = 1. Then, the initial state σ does not satisfy φ and it is possible for α̂ to execute along a terminating trace ν that permits t to be ≠ 1. Suppose there was a position (k, ζ) of ν at which ν_k(ζ) ⊨ φ. Without loss of generality, we can assume (k, ζ) to be the first such position. Then, the hybrid action which regulates ν_k is accompanied by an immediate condition that φ → t = 1, hence t = 1 holds if ν terminates. Since the fresh variable t is rigid (is never changed during α̂) and ν terminates in finitary liveness semantics, we conclude last ν[[t]] = 1, which is a contradiction.



